Today, the ECJ declared the EU-US Privacy Shield invalid with immediate effect in the case Schrems v. Facebook (Case C-311/18). This has significant consequences for data transfers to the US. There is a need for action!!!
A data transfer to the USA is therefore currently only possible if a special data transfer agreement containing the standard contractual clauses (SCC) approved by the EU Commission has been concluded between the contracting parties or if the contracting party in the USA has implemented binding internal data protection regulations (BCR) approved by a European supervisory authority.
Check whether you are transferring data to the U.S., for example, because a service provider or an affiliated company is based there. If you are transferring data, then the next step is to check whether the SCC has already been concluded with the company in the USA. If there is no SCC, it should be concluded as soon as possible. Until the SCC has been concluded, you should suspend the transfer of data to the USA. The ECJ ruling contains further requirements regarding the design of the data transfer process, including verification obligations and the agreement of information obligations of the service provider.
Your service providers could also transfer your data to the USA. This is the case if subcontractors of your service provider or companies affiliated with it are used in the USA. Your contractors are obliged by the order processing agreement to transfer data to the USA only if a valid legal basis for this can be demonstrated, e.g. the conclusion of SCC. Our recommendation: Approach your service providers and ask for proof that SCCs have been concluded with subcontractors located in the USA. Until you have this proof, you should prohibit the transfer of data to the USA within the scope of your right to issue instructions.
If you transfer data to the USA without a valid legal basis, you may be subject to a fine of up to €20 million or 4% of the annual turnover, whichever is higher, pursuant to Art. 83 (5) lit. c GDPR. We assume that the supervisory authorities will increasingly monitor this in the future – similar to the last ruling when Safe Habour, the predecessor of Privacy Shield, was overturned. In particular, it will be necessary to adapt data protection declarations. We will be happy to act for you here.
If you operate a Facebook fan page or use Google Analytics, your contractual partner is the European branch of Facebook or Google. The responsibility for the data transfer to the USA lies entirely with Facebook or Google. Thus, operating a Facebook fan page or using Google Analytics is still possible.
The standard contractual clauses are already included in the terms of use for Microsoft products. You can therefore continue to use software or cloud solutions from Microsoft.
The press release on the ruling can be found at:
https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091de.pdf
You can find the full text of the ruling at:
http://curia.europa.eu/juris/documents.jsf?num=C-311/18
